Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Hard disk file system identification

from [compuwar] Network Security [Permanent Link]
Subject: Re: Hard disk file system identification
Date: Thu, 30 Sep 2004 12:29:53 -0400 
You do *not* want to mount a drive to do any imaging.  Use dd on the
raw device (preferably behind a hardware write blocker- they're cheap
enough these days.)  If it's mounted even read-only, some of the
journaling filesystems will still update the mount count (reiser and
ext3 for sure, probably true of others.)

I generally make an image to play with and an image to have in the
safe to go back to.

You can use fdisk to read the partition table and see the partition
type, but again you really never want to do this on the original
evidence- make a copy, check the MD5s of the original and the copy,
then go to work on the copy.

Paul
-------------------------------------------------------------
paul@compuwar.net

On 30 Sep 2004 11:42:58 -0000, Nick Puetz <nickpuetz@yahoo.com> wrote:



I have received an internal hard drive that I need to image and perform some 
analysis on; however, I don't know the file system type on the disk, there 
for, I can not correctly mount it to the RedHat 9 machine I used to do my 
image creation and analysis.  Is there any way that I can identify what file 
system type is on a hard disk without jeopardizing the integrity of the hard 
disk?  Thanks for the help.

Nick



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Securely wiping a "dead" usb pen drive, PPowenski
Next by Date:  RES: Hard disk file system identification, Bernardo Santos Wernesback
Previous by Thread:  Re: Hard disk file system identification, kris carlier
Next by Thread:  RES: Hard disk file system identification, Bernardo Santos Wernesback
Indexes:  [Date] [Thread] [Top] [All Lists]